ISO 9001 is fairly a general standard focusing on quality management system, for all type of organizations. However ISO 20000 is purely IT service quality. Domains such as configuration management have no ISO 9000 equivalence. Organizations choosing to implement ISO 9001 for IT departments should chose ISO 20000 as the latter provide a better return on investment.

What is the difference between ISO 9001 and ISO 20000?

ISO 9001 is fairly a general standard focusing on quality management system, for all type of organizations. However ISO 20000 is purely IT service quality. Domains such as configuration management have no ISO 9000 equivalence. Organizations choosing to implement ISO 9001 for IT departments should chose ISO 20000 as the latter provide a better return on investment.

What is common between ISO 9001 and ISO 20000?

The concept of 'quality' and 'customer satisfaction' is a generic objective that exists in both; The principle of Plan-do-check-act is common to all management system standards.

What is the difference between ISO 27001 and ISO 20000?

ISO 20000 focuses on quality of IT service delivery, whereas ISO 27001 focuses on information (including IT) risks especially vulnerabilities and their controls; ISO 20000 has components of IT service risks;
ISO 27001 has coverage on other aspects such as legal, physical and HR security whereas ISO 20000 focuses on IT risks only;
Journey of compliance of one standard can reduce the compliance journey of the other by almost half;

What is the common between ISO 27001 and ISO 20000?

One of the key domains of ISO 20000 is information security;
There are several controls on ISO 27001 which are common such as service provider SLA, reference to control on external service providers.

Journey of compliance of one standard can reduce the compliance journey of the other by almost half;

What is the difference between PCI-DSS and ISO 27001?

The definition of information in PCI DSS is any card information that is 'stored, processed, and transmitted' in the client environment. The definition of information in ISO 27001 is 'anything that has a business value'.

Both standards are aimed at data protection, the difference in PCI-DSS lies is detailing and specificity. ISO 27001 on other hand is much more generic.

PCI-DSS is very specific on how a control implementation has to be achieved and in case a primary control is not implemented the scope of compensatory control is well defined. ISO 27001 on the other hand has a room for interpretation and may suffer implementation compromise in the hands of the implementers. Elements on database security are much more specific in PCI DSS than ISO 27001.

What is common between PCI-DSS and ISO 27001?

At the network layer, PCI-DSS principles are fairly covered in ISO 27001. Both standards have a reference to continual improvement.

What is the difference between ISO 27001 and SSAE-16 (previously SAS 70) or ISAE 3402?

ISO 27001 is an information risk management standard aimed at an organisation, and to protect their own asset; SSAE-16 is an attestations standard by a US based CPA is aimed at ensuring that service provider has implemented all risk management controls including information security governance.

What is common between ISO 27001 and SSAE-16 (previously SAS 70) or ISAE 3402?

ISO 9001 is a management system standard for quality management system, whereas ISO 27001 is for information security management system. The eventual output of ISO 9001 is a customer satisfaction, whereas for ISO 27001 it is information risk reduction.

What is common between ISO 27001 and BS 25999?

Both standards focus on risk assessment as a common point but the objectives are different. ISO 27001 focuses on removing vulnerabilities whose exploit that can result in an incident, whereas BS 25999 focuses on restoration vulnerabilities such as not having a plan in place;

What is common between ISO 9001 and ISO 27001?

The only area that is common is the existence of document management system and the spirit of plan-do-check-act.

What is the difference between ISO 20000 and BS 25999?

BS 25999 is about business services, whereas ISO 20000 is about IT services;

ISO 20000 has a domain - 'IT service continuity' which requires a plan in case of an outcome;

BS 25999 requires a plan for each individual event and outcome and encompass personnel, infrastructure and network failures;

What is common between ISO 20000 and BS 25999?

Requirement for a documented management system is common all management standard;

Information reflects opinions of Probal Choudhuri (Founder - CEO) - Coral eSecure. The reader should understand the difference in the context of a macro analysis, rather than micro analysis. Please do not hesitate to write to him at pc@www.coralesecure.com.

Disclaimer: Coral does not guarantee the accuracy of the above listed information as they are subject to regular changes. Coral shall not be held responsible for any action taken resulting in loss due to information reference made herein. Some of the interpretation involved the opinion of Coral consultants and their experience, which is a result of several years of consulting, implementation and training experience. There can be situations where readers may disagree with such opinions.